JVNDB-2021-000074
|
Multiple vulnerabilities in RevoWorks Browser
|
RevoWorks Browser provided by J's Communication Co., Ltd. is a virtual browser which enables internet isolation.
It provides a function that enables access to drives, folders, files, and registries in the isolated environment from the local environment while the web browser is running.
RevoWorks Browser contains the multiple vulnerabilities listed below due to improper control of access and program execution between the local environment and the isolated environment.
* Improper control of program execution (CWE-114) - CVE-2021-20790
* Improper access control (CWE-284) - CVE-2021-20791
J's Communication Co., Ltd. reported these vulnerabilities to IPA to notify users of the solution through JVN. JPCERT/CC and J's Communication Co., Ltd. coordinated under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 8.6 (High) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVSS V2 Severity: Base Metrics 6.8 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Medium
- Authentication: None
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: Partial
The above CVSS base scores have been assigned for CVE-2021-20790
|
CVSS V3 Severity: Base Metrics 5.2 (Medium) [IPA Score]
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVSS V2 Severity: Base Metrics 3.2 (Low) [IPA Score]
- Access Vector: Local
- Access Complexity: Low
- Authentication: Single
- Confidentiality Impact: Partial
- Integrity Impact: Partial
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20791
|
|
J's Communication Co., Ltd.
- RevoWorks Browser 2.1.230 and earlier
|
According to the developer, RevoWorks Browser 2.0.x is not affected by these vulnerabilities.
|
* An arbitrary command or code may be executed on the user's web browser running in the isolated environment - CVE-2021-20790
* Unauthorized files may be exchanged between the local environment and the isolated environment, or settings of the web browser may be altered - CVE-2021-20791
|
[Update the software]
Update the software to the latest version according to the information provided by the developer.
The developer has released RevoWorks Browser 2.2.50 that addresses the vulnerabilities.
|
J's Communication Co., Ltd.
|
- Permissions (CWE-264) [IPA Evaluation]
- No Mapping (CWE-Other) [IPA Evaluation]
|
- CVE-2021-20790
- CVE-2021-20791
|
- JVN : JVN#81658818
- National Vulnerability Database (NVD) : CVE-2021-20790
- National Vulnerability Database (NVD) : CVE-2021-20791
|
- [2020/09/10]
Web page was published
|